From: "Kamil Jońca" <kjonca@op.pl>
To: netfilter@vger.kernel.org
Subject: Proper way to ipsec filtering
Date: Sun, 17 Apr 2022 08:37:47 +0200
Message-ID: <878rs48bb8.fsf@alfa.kjonca>


What is the best way to create rules used for ipsec traffic filtering?

So far I have a bunch of rules created per reqid, like this:
table ip filter { # handle 13
        chain INPUT { # handle 1
                type filter hook input priority filter; policy drop;
                iif "eth0" ipsec in reqid 1 counter packets 100672 bytes 11492891 jump ipsec-in-1 comment "ed19af3c-f504-11e9-b59d-00e081736ba6/1/in" # handle 326
                [...]
        }

        [...]

        chain ipsec-in-1 { # handle 323
                ip saddr yyy ip daddr xxxx/24 counter packets 50871 bytes 5614784 jump c1 # handle 325
                ip protocol ipencap ip daddr zzzz counter packets 49801 bytes 5878107 accept # handle 324
        }
}

And I insert / remove rules from INPUT (and add / delete ipsec-in-*
chains) when clients connect and disconnect.
This is what I configured when I migrated from iptables some time ago.
But I believe this is not the best method for nftables. So does anybody
have a suggestion about the best practice for handling this situation?
I tried to use maps/vmaps, but reqid cannot be used as an index.

Am I missing something?
KJ

-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
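Added example (not part of the original message and not the poster's script): the per-reqid chain pattern quoted above, scripted so that the connect and disconnect steps are each applied as one nft transaction via `nft -f -` instead of as a sequence of separate `nft add`/`nft delete` calls. Assumed names are taken from the quoted ruleset (table `ip filter`, base chain `INPUT`, interface `eth0`, chain names `ipsec-in-<reqid>`, target chain `c1`); the addresses and the INPUT listing embedded below are constructed placeholders, and the helper names `render_connect_rules`, `render_disconnect_rules` and `jump_rule_handle` are this example's own. It does not change the approach the post asks about; it only makes the add/remove steps atomic and the handle lookup explicit.

```shell
#!/bin/sh
# Per-reqid ipsec filtering helpers (added example, not the original poster's
# script). Rendered scripts are meant to be piped into `nft -f -`, which applies
# the whole script as a single transaction: either every line takes effect or
# none does, so INPUT never points at a chain that does not exist yet.

# render_connect_rules REQID PEER_ADDR LOCAL_NET TUNNEL_DST LABEL
# Prints the transaction for a newly connected client: create the per-client
# chain, fill it, then add the INPUT jump rule keyed on the SA reqid.
render_connect_rules() {
    reqid=$1; peer=$2; localnet=$3; tunnel=$4; label=$5
    cat <<EOF
add chain ip filter ipsec-in-$reqid
add rule ip filter ipsec-in-$reqid ip saddr $peer ip daddr $localnet counter jump c1
add rule ip filter ipsec-in-$reqid ip protocol ipencap ip daddr $tunnel counter accept
add rule ip filter INPUT iif "eth0" ipsec in reqid $reqid counter jump ipsec-in-$reqid comment "$label/$reqid/in"
EOF
}

# render_disconnect_rules REQID JUMP_HANDLE
# Prints the reverse transaction. The jump rule must go first and the chain
# must be flushed before deletion: nft refuses to delete a chain that still
# holds rules or is still a jump target.
render_disconnect_rules() {
    reqid=$1; handle=$2
    cat <<EOF
delete rule ip filter INPUT handle $handle
flush chain ip filter ipsec-in-$reqid
delete chain ip filter ipsec-in-$reqid
EOF
}

# jump_rule_handle REQID  (reads `nft -a list chain ip filter INPUT` on stdin)
# Prints the handle of the INPUT jump rule for that reqid, or nothing if absent.
# The trailing space in the search string keeps reqid 1 from matching reqid 10.
jump_rule_handle() {
    awk -v target="jump ipsec-in-$1 " '
        index($0, target) && match($0, /# handle [0-9]+/) {
            print substr($0, RSTART + 9, RLENGTH - 9); exit
        }'
}

# Constructed sample of `nft -a list chain ip filter INPUT` output, used by the
# demo below; it is not captured from a real system.
SAMPLE_INPUT_LISTING='table ip filter {
        chain INPUT { # handle 1
                type filter hook input priority filter; policy drop;
                iif "eth0" ipsec in reqid 1 counter packets 100672 bytes 11492891 jump ipsec-in-1 comment "LABEL/1/in" # handle 326
                iif "eth0" ipsec in reqid 10 counter packets 12 bytes 960 jump ipsec-in-10 comment "LABEL/10/in" # handle 340
        }
}'

# Demo: run as `sh this_script.sh demo`. On a live host the render output would
# be piped into `nft -f -` and the listing would come from `nft -a list chain`.
if [ "${1:-}" = demo ]; then
    echo "== connect reqid 7 =="
    render_connect_rules 7 203.0.113.5 192.0.2.0/24 198.51.100.9 LABEL
    echo "== disconnect reqid 1 =="
    h=$(printf '%s\n' "$SAMPLE_INPUT_LISTING" | jump_rule_handle 1)
    render_disconnect_rules 1 "$h"
fi
```

On a live system the pattern is `render_connect_rules ... | nft -f -` on connect and `nft -a list chain ip filter INPUT | jump_rule_handle "$reqid"` followed by `render_disconnect_rules "$reqid" "$handle" | nft -f -` on disconnect; keeping the handle lookup separate from the delete means a missing chain is detected (empty handle) before anything is removed.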

Thread overview: 3+ messages
2022-04-17  6:37 Kamil Jońca (this message)
2022-04-18 10:14 ` Proper way to ipsec filtering Florian Westphal
2022-04-18 20:41   ` Kamil Jońca